IA - Application and Server Security Policy For Magnetise Group Application Services (Internal Administration)
About this Document
Scope
This policy is to be read in conjunction with the Information Security Policy and inherits the Roles and Responsibilities and Audit and Review policy of that same document.
1. Introduction
We provide services via Amazon EC2 (AWS). AWS data centres are housed in nondescript facilities, and critical facilities have extensive setback and military-grade perimeter control beams as well as other natural boundary protection. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilising video surveillance, state-of-the-art intrusion detection systems, and other electronic means. Authorised staff must pass two-factor authentication no fewer than three times to access data centre floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorised staff. Amazon only provides data centre access and information to employees who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical and electronic access to data centres by Amazon employees is logged and audited routinely. Further information on AWS security can be found here:
https://aws.amazon.com/security
2. Network Security
All virtual servers within AWS run on enterprise-grade Linux. All servers have been hardened to remove unnecessary services. All servers sit behind a default-closed firewall, with only the ports necessary for provision of the intended services being open.
Within Amazon, servers are located in a Virtual Private Cloud (VPC), with distinct DMZs within the network restricting access to specific resources. Network traffic is restricted into, within, and out of the VPC.
Access to the Amazon Web Services management console is restricted to a set of trusted individuals within Magnetise Group, with revocable access and two-factor authentication.
3. Server Availability and Recovery
All servers are to be virtualised servers within AWS, which provides multiple points of failover. Virtual servers are spanned across multiple disks. Production data is to be held in data repositories separate from the server instance itself, with regular internal backups and multiple failover capabilities.
All critical services are to be distributed across load-balanced arrays of nodes, with health monitoring configured for each node to check both response and latency. In the event that a single node fails, traffic is to be automatically routed to the healthy nodes.
In the case of a single virtual server instance failing, reconstruction of any single production system is targeted to 45 minutes from local server backups, or if necessary, remote backups.
Once a year, the backup restoration process is to be tested and timed.
4. Backup
The risk of long-term data loss is to be mitigated by having multiple points of secure backup.
Backups are to be taken daily, locally within AWS, and replicated to Amazon S3 storage that can only be accessed by a set of our trusted administrators. Amazon also makes encrypted and secure backups of their storage system data. Backups are to be encrypted with GPG using the application's public key. The private key needed to restore from backup is housed on an encrypted external drive in a securely locked filing cabinet.
5. Server Access
Server access is only to be granted to the set of our trusted administrators, using secure and revocable keys. A cryptographically secure pseudo-random number generator is to be used to generate the passwords for application access.
Server sessions are to time out if left unattended, forcing the user to log back in.
No third parties are to have access to the server platforms, customer data or prospect data.
6. Application Access
Account management is controlled by each application.
Account Creation
Accounts created in Lead Intelligence, AdCentre or Topfox must never have their passwords set at creation time. All new accounts must complete set-up through the email activation process. This ensures that the account holder has access to the email account and that their personal password is protected. Passwords are to be stored using a cryptographically secure mechanism, such as a salted hash using the SHA-256 algorithm with thousands of hash iterations.
The password policy is to adhere to the Magnetise Group Information Security Policy password construction guidelines.
Account Activity
All user sessions are to expire after 60 minutes of inactivity.
Inactive accounts are to expire after 90 days.
5 repeated failed login attempts are to lock the account.
Passwords can only be reset by email to the account holder. Under no circumstances are they to be set manually.
All user activity in the relevant application console is to be logged.
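As an added illustration, not code from the Magnetise Group applications, the following Python sketch implements the controls stated in the Account Creation and Account Activity sections: no password at creation time, a salted PBKDF2-HMAC-SHA256 password record (the 100,000 iteration count is an assumed value for "thousands of hash iterations"), lockout on the fifth failed login, 90-day inactive-account expiry and the 60-minute session inactivity limit. Function names and the returned status strings are illustrative.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

# Limits taken from the Account Activity section; the iteration count is assumed.
PBKDF2_ITERATIONS = 100_000             # "thousands of hash iterations"
MAX_FAILED_LOGINS = 5                   # the 5th consecutive failure locks the account
SESSION_IDLE_LIMIT = timedelta(minutes=60)
ACCOUNT_IDLE_LIMIT = timedelta(days=90)

def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted PBKDF2-HMAC-SHA256; the record carries its own salt and iteration count."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(stored: str, candidate: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    _, iters, salt, digest = stored.split("$")
    recomputed = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt), int(iters))
    return hmac.compare_digest(recomputed, bytes.fromhex(digest))

class Account:
    def __init__(self, created_at: datetime):
        self.password_hash = None       # never set at creation time
        self.failed_logins = 0
        self.last_activity = created_at

    def activate(self, password: str) -> None:
        """The email activation step is the only place a password is ever set."""
        self.password_hash = hash_password(password)

    def login(self, password: str, now: datetime) -> str:
        if self.failed_logins >= MAX_FAILED_LOGINS:
            return "locked"
        if now - self.last_activity > ACCOUNT_IDLE_LIMIT:
            return "expired"            # inactive for more than 90 days
        if self.password_hash is None or not verify_password(self.password_hash, password):
            self.failed_logins += 1
            return "locked" if self.failed_logins >= MAX_FAILED_LOGINS else "failed"
        self.failed_logins = 0
        self.last_activity = now
        return "ok"

def session_is_active(last_seen: datetime, now: datetime) -> bool:
    """User sessions expire after 60 minutes of inactivity."""
    return now - last_seen <= SESSION_IDLE_LIMIT
```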
7. Monitoring
Service monitoring
All servers are to be monitored from an external network, with active alerts being sent both by email and by SMS to the set of administrators who are enabled to restore services in the unlikely event of a disruption to service. Metrics monitored are to include web server response, response times and expected content inspection.
Intrusion detection
Host-based monitoring is to be implemented on every node within the Amazon VPC, with the current preferred tool being OSSEC. Email alerts are to be configured to send to the set of trusted administrators as determined by the Information Security Manager.
Logging
All server access logs are to be centrally logged to a separate server in a separate subnet in the VPC. Access logs are then emailed to the set of trusted administrators, as determined by the Information Security Manager, for regular review.
8. Maintenance
All server operating systems are kept up to date weekly with local package management updates and security patches.
9. Vulnerability Strategy
Once a year we will conduct a vulnerability review. We review our software versions and upgrade or patch them as necessary. We also perform penetration testing at this time.
Internal Penetration Testing
We attempt to penetrate our own systems using the OWASP Top 10 list of common vulnerabilities: https://www.owasp.org/index.php/Top_10_2013-Top_10
At the end of the penetration testing, any recommendations will be circulated to those that need to be aware of them and re-testing performed after rectification.
Independent Penetration Testing
Where appropriate, we engage an accredited third-party security provider to conduct independent penetration testing of our network and/or web applications. Any vulnerabilities identified during testing are remediated, and if necessary, a follow-up test is scheduled to confirm that all issues have been resolved. For example, we have previously commissioned NCC Group to carry out both Web Application and External Infrastructure assessments.
Report an issue
To report an issue, you can email one of the following senior managers or directors: Peter Gowrie-Smith at petergs@magnetisegroup.com or Sebastian Mosny at sebastianm@magnetisegroup.com. If you prefer to raise a concern in confidence, you may leave an anonymous note on the desk of either director mentioned above.
Review and Revision History
Document created: August 2014
Last reviewed/updated: January 2025